registry  /  @newrelic/preflight  /  1.4.44

@newrelic/preflight@1.4.44

New Relic MCP server for observing AI coding assistants (Claude Code, Cursor, Windsurf, Copilot, and more)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `preflight install` configures Claude Code hook and MCP entries. The hook records AI-tool metadata and optional transcript-derived usage locally; the running service can export telemetry to New Relic.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `preflight install`/`setup`, then the configured AI-agent hooks execute.
Impact
Persistent user-level or project-level agent integration can observe tool activity and export configured telemetry.
Mechanism
First-party AI-agent hook/MCP lifecycle setup and telemetry collection.
Rationale
The malicious scanner result is not supported by source inspection: its claimed SSRF file is absent and `prepare` only invokes Husky. The package nonetheless warrants a warning because it explicitly installs persistent AI-agent hooks/MCP integration that can collect and export observability data.
Evidence
package.jsondist/index.jsdist/install/cli.jsdist/install/install-helper.jsdist/install/schedule.jsdist/hooks/collector-script.jsdist/shared/transport/http-client.jsdist/install/json-utils.js
Network endpoints3
api.newrelic.com/graphqlapi.eu.newrelic.com/graphqlinsights-collector.newrelic.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/install/cli.js` explicitly installs Claude Code hooks and an MCP server.
  • `dist/hooks/collector-script.js` runs as a hook, reads tool-event stdin and local Claude transcripts, then writes JSONL buffers.
  • `dist/install/schedule.js` can create user LaunchAgent jobs when invoked by CLI options.
  • `dist/shared/transport/http-client.js` sends collected telemetry to configured New Relic ingest endpoints.
Evidence against
  • `package.json` has only `prepare: husky || true`; no preinstall/install/postinstall hook.
  • `dist/index.js` dynamically routes installer behavior only for explicit `preflight install/setup/...` subcommands.
  • `dist/install/cli.js` labels install as configuring observability hooks and MCP, with explicit user commands.
  • `dist/hooks/collector-script.js` applies redaction and stores buffers with restrictive directory/file modes.
  • No `dist/security/ssrf.js` exists; the scanner's cloud-metadata hint is unsupported by package files.
  • Observed network URLs are New Relic API/collector endpoints, aligned with the package's stated telemetry function.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 145 file(s), 2.11 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.newrelic.com, aws.github.io, bit.ly, docs.windsurf.com, git-scm.com, github.com, hooks.slack.com, insights-collector.newrelic.com, newrelic.com, one.newrelic.com, otlp.nr-data.net, react.dev, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/install/schedule.jsView file
1import { execFileSync } from 'node:child_process'; L2: import { writeFileSync, readFileSync, existsSync, statSync, accessSync, constants, unlinkSync, mkdirSync, } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/install/schedule.jsView on unpkg · L1
dist/install/platform.jsView file
75} L76: // Last resort: ask cmd.exe (requires WSL interop to be enabled). L77: // Pass the full command as one string after /c so cmd.exe expands %USERPROFILE%
High
Shell

Package source references shell execution.

dist/install/platform.jsView on unpkg · L75
dist/install/setup-wizard.jsView file
23try { L24: entryPoint = realpathSync(process.argv[1] ?? process.cwd()); L25: } ... L70: function print(msg = '') { L71: process.stdout.write(msg + '\n'); L72: } ... L75: try { L76: parsed = JSON.parse(readFileSync(CONFIG_PATH, 'utf-8')); L77: } ... L171: if (mode !== 'local') { L172: const envAccountId = process.env.NEW_RELIC_ACCOUNT_ID?.trim() ?? ''; L173: const existingAccountId = typeof existing.accountId === 'string' ? existing.accountId : '';
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/install/setup-wizard.jsView on unpkg · L23
dist/security/ssrf.jsView file
1import { lookup as dnsLookup } from 'node:dns'; L2: const ALLOWED_SCHEMES = new Set(['http:', 'https:']); ... L12: const BLOCKED_METADATA_IPS = new Set(['100.100.100.200']); L13: // Matches loopback, RFC-1918 private ranges, link-local (169.254/16), and L14: // IPv4 multicast (224.0.0.0/4, i.e. 224–239.x.x.x).
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/security/ssrf.jsView on unpkg · L1
dist/install/cli.jsView file
396print(' To update, reinstall using your package manager, e.g.:'); L397: print(' npm install -g @newrelic/preflight@latest'); L398: print(' pnpm add -g @newrelic/preflight@latest'); ... L403: print('→ git pull'); L404: execFileSync('git', ['pull'], { cwd: repoRoot, stdio: 'inherit' }); L405: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install/cli.jsView on unpkg · L396
dist/hooks/collector-script.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @newrelic/preflight@1.4.40 matchedIdentity = npm:QG5ld3JlbGljL3ByZWZsaWdodA:1.4.40 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/hooks/collector-script.jsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/hooks/collector-script.js
HighChild Processdist/install/schedule.js
HighShelldist/install/platform.js
HighCloud Metadata Accessdist/security/ssrf.js
HighRuntime Package Installdist/install/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/install/setup-wizard.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings